authorMarian Sigler <m@qjym.de>2012-09-21 00:57:46 +0200
committerMarian Sigler <m@qjym.de>2012-09-21 00:57:46 +0200
commit597db4fa95aab501de422f410c46a91bc6c6bbbd (patch)
tree520eb8771a15d7c8afdad898c238cf636c0a00cb
parent5bcca89bbf51a907add9921c59e9ed14c57623d8 (diff)
Use Flask-WTForms because it adds CSRF protection
-rw-r--r--forms.py2
-rw-r--r--requirements.txt6
-rw-r--r--templates/index.html7
-rw-r--r--templates/register.html11
4 files changed, 18 insertions, 8 deletions
diff --git a/forms.py b/forms.py
index c560776..695b075 100644
--- a/forms.py
+++ b/forms.py
@@ -1,5 +1,5 @@
# -*- coding: utf-8 -*-
-from wtforms import Form, validators, TextField, PasswordField
+from flask.ext.wtf import Form, validators, TextField, PasswordField
username = TextField('Benutzername', [validators.Length(min=4, max=20)])
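Review bot: Swapping the base class on the import line only adds CSRF protection if the application has a secret key configured and every view validates the form before acting on it, and neither is visible in this commit. Flask-WTF derives the token from the session, so a missing or guessable `SECRET_KEY` would undermine it. A short comment above the import would record the dependency, for example `# Flask-WTF Form: CSRF token is checked in validate(); requires app.secret_key`. The form class around the `username` field starts and continues outside this hunk, so the views should be checked separately.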
diff --git a/requirements.txt b/requirements.txt
index 327efd6..e0ad29e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,6 @@
-Flask==0.6
+Flask>=0.6
+Flask-WTF
+Werkzeug>=0.6
+Jinja2>=2.4
+WTForms>=1.0
python-ldap
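Review bot: The security-relevant dependency added here, `Flask-WTF`, has no version constraint at all, and `Flask==0.6` is loosened to an open-ended `Flask>=0.6`, so each install can resolve to a different set of packages. The new import in forms.py relies on the `flask.ext` namespace and on Flask-WTF re-exporting the WTForms fields, both of which later releases dropped, so an unbounded range can break the forms or change the CSRF behaviour without any change in this repository. Consider bounding each entry to the series that was tested, in the form `Flask-WTF>=<tested>,<<next-major>` (placeholders, not real versions), or pinning exact versions in a separate lock file.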
diff --git a/templates/index.html b/templates/index.html
index cb9c238..9177dea 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -7,8 +7,11 @@
{%- else %}
<p><a href="/register">Account erstellen</a></p>
<form action="" method="post">
- {{ render_field(form.username) }}
- {{ render_field(form.password) }}
+ <dl>
+ {{ render_field(form.username) }}
+ {{ render_field(form.password) }}
+ </dl>
+ {{ form.csrf_token }}
<input type="submit" value="Login" />
</form>
{%- endif %}
diff --git a/templates/register.html b/templates/register.html
index 094056e..f39c4a9 100644
--- a/templates/register.html
+++ b/templates/register.html
@@ -3,10 +3,13 @@
{%- set title = 'Account erstellen' %}
{%- block content %}
<form action="" method="post">
- {{ render_field(form.username) }}
- {{ render_field(form.mail) }}
- {{ render_field(form.password) }}
- {{ render_field(form.password_confirm) }}
+ <dl>
+ {{ render_field(form.username) }}
+ {{ render_field(form.mail) }}
+ {{ render_field(form.password) }}
+ {{ render_field(form.password_confirm) }}
+ </dl>
+ {{ form.request_token }}
<input type="submit" value="Registrieren" />
</form>
{%- endblock %}
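Review bot: The registration form renders `{{ form.request_token }}`, while the login form in templates/index.html renders `{{ form.csrf_token }}`, and nothing visible in forms.py defines a `request_token` field. With Jinja2's default undefined handling, a missing attribute renders as an empty string, so the hidden token input would be silently absent from this page. Registration POSTs would then either fail CSRF validation or, if the view does not validate, go through unprotected. This looks like it should be `{{ form.csrf_token }}`, or `{{ form.hidden_tag() }}` in both templates so that every hidden field is emitted in one place.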